GitLab 9.5.4, 9.4.6, and 9.3.11 released

Today we are releasing versions 9.5.4, 9.4.6, and 9.3.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain several security fixes, including fixes for several persistent Cross-Site Scripting (XSS) vulnerabilities, a fix for a hard to exploit race condition in project uploads, a fix for a CSRF token leakage vulnerability, a fix for a bug that could allow deleted repositories to be left on disk and copied by a user that knew their full path, some important Mattermost updates, a fix for a critical vulnerability in the Nokogiri library, a fix for a vulnerability that could allow the disclosure of private SSL certificates in Pages sites, and several more. We recommend that all GitLab installations be upgraded to one of these versions.

Please read on for more details.

Cross-Site Scripting (XSS) vulnerability in profile names

An external security audit performed by Madison Gurkha disclosed a Cross-Site Scripting (XSS) vulnerability in user names that could be exploited in several locations. #36979, #37344

Open Redirect in go-get middleware

Tim Goddard via HackerOne reported that GitLab was vulnerable to an open redirect vulnerability caused when a specific flag is passed to the go-get middleware. This vulnerability could also possibly be used to conduct Cross-Site Scripting attacks. #31508

Race condition in project uploads

Jobert Abma from HackerOne reported that GitLab was vulnerable to a race condition in project uploads. While very difficult to exploit this race condition could potentially allow an attacker to overwrite a victim's uploaded project if the attacker can guess the name of the uploaded file before it is extracted. #29652

Cross-Site Request Forgery (CSRF) token leakage

naure via HackerOne reported that GitLab was vulnerable to CSRF token leakage via improper filtering of external URLs in relative URL creation. A specially crafted link configured in a project's environments settings could be used to steal a visiting user's CSRF token. #31045

Potential project disclosure via project deletion bug

An internal code review discovered that removed projects were not always being deleted from the file system. This could allow an attacker who knew the full path to a previously deleted project to steal a copy of the repository. These releases prevent the leftover repository from being accessed when creating a new project. The project deletion bug will be fixed in a later release. #36743

Mattermost updates

Mattermost has recently released important security fixes for the Mattermost versions included with GitLab CE+EE Omnibus packages. Details will be made available on Mattermost's website according to their responsible disclosure policy.

An external security audit performed by Recurity-Labs discovered a UI redressing vulnerability in the GitLab markdown sanitization library. #36098

DOM clobbering in sanitized MD causes errors

An external security audit performed by Recurity-Labs discovered a DOM clobbering vulnerability in the GitLab markdown sanitization library that could be used to render project pages unreadable. #36104

The bundled Nokogiri library has been updated to patch an integer overflow vulnerability. Details are available in the Nokogiri issue. #29992

Security risk in recommended Geo configuration could give all users access to all repositories

An internal code review discovered that GitLab Geo instances could be vulnerable to an attack that would allow any user on the primary Geo instance to clone any repository on a secondary Geo instance. #3271

GitLab Pages private certificate disclosure via symlinks

An external security review conducted by Recurity-Labs discovered a vulnerability in GitLab Pages that could be used to disclose the contents of private SSL keys. #75

Security risk in recommended Geo secondary configuration could give all users access to all repositories

GitLab EE 8.6.0-9.3.11, 9.4.0-9.4.6, 9.5.0-9.5.4

GitLab Pages private certificate disclosure via Symlinks

GitLab CE+EE 8.6.0-9.3.11, 9.4.0-9.4.6, 9.5.0-9.5.4

We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.

Upgrade barometer

These versions do not include any migrations and will not require downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.